Full Disclosure mailing list archives
(CVE-2014-1648) Symantec Messaging Gateway Management Console Cross Site Scripting Vulnerability
From: William Costa <william.costa () gmail com>
Date: Tue, 22 Apr 2014 14:00:41 -0300
I. VULNERABILITY ------------------------- Reflected XSS Attacks vulnerability in Symantec Messaging Gateway Version 10.5.1 II. BACKGROUND ------------------------- Symantec Corporation is an American computer security, backup and availability solutions software corporation headquartered in Mountain View, California, United States. It is a Fortune 500 company and a member of the S&P 500 stock market index III. DESCRIPTION ------------------------- Has been detected a Reflected XSS vulnerability in Messaging Gateway Version. The code injection is done through the parameter "displayTab" in the page “/brightmail/setting/compliance/DlpConnectFlow$view.flo?displayTab=” IV. PROOF OF CONCEPT ------------------------- The application does not validate the parameter “operand[]” correctly. https://10.200.210.143/brightmail/setting/compliance/DlpConnectFlow$view.flo?displayTab=aaaaa')</script><script>alert(“XSS”)</script><script>{(' V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or script code in a targeted user's browser, that allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser. VI. SYSTEMS AFFECTED ------------------------- Tested in Symantec Messaging Gateway Version 10.5.1 VMWare VII. SOLUTION ------------------------- Upgrade Symantec Messaging Gateway 10.5.2 VIII. References ------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140422_00 http://www.securityfocus.com/bid/66966/info By William Costa william.costa () gmail com _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- (CVE-2014-1648) Symantec Messaging Gateway Management Console Cross Site Scripting Vulnerability William Costa (Apr 22)